Date: Thu, 8 Oct 2015 14:29:30 +0200
From: Matthijs Kooijman <matthijs@...in.nl>
To: oss-security@...ts.openwall.com
Cc: alejandro@...ian.org, kevin@...nke.ca
Subject: CVE request - perl library UI::Dialog 1.09 - shell escaping
 vulnerability

Hi folks,

can you please assign a CVE for the UI::Dialog perl library? I
(re)discovered a flaw that allows arbitrary command execution when the
library is given untrusted strings to show in a menu prompt.

The flaw was initially reported in 2008 at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496448 but it seems
this never reached upstream. I recently reported the bug upstream
https://rt.cpan.org/Public/Bug/Display.html?id=107364, see that report
for some additional details.

Upstream has indicated to be working on a fix (see upstream bug), but no
patches are available yet.

Impact seems limited, I'm not aware of any well-known programs that use
this library and are vulnerable (only two Debian packages depend on it,
both use a UI::Dialog backend that is unaffected).

Thanks,

Matthijs
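
Added example, not part of the original message and not UI::Dialog's code: a POSIX sh demonstration of the class of flaw the report describes, assuming a dialog backend that assembles one command string and passes it to /bin/sh. The function names `weak_quote`, `sh_quote` and `render` are hypothetical, and the sample label is constructed.

```shell
#!/bin/sh
# Added illustration; not UI::Dialog code. Assumption: a dialog backend
# assembles one command string and hands it to /bin/sh.

# Constructed untrusted menu label; the substitution only echoes a marker.
LABEL='Item $(echo INJECTED)'

# Weak pattern (hypothetical): escape double quotes only, wrap in "...".
# $(...), backticks and $VAR are still expanded by the shell.
weak_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/\\"/g')"
}

# Robust pattern: wrap in single quotes, rewrite each ' as '\''.
# Nothing is special inside single quotes, so the text stays literal.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Stand-in for the backend: build the command line as a string and run it.
# $1 = quoting function, $2 = label; prints what the "menu" would show.
render() {
    cmd="printf '%s' $("$1" "$2")"
    sh -c "$cmd"
}

echo "weak:   $(render weak_quote "$LABEL")"
echo "strong: $(render sh_quote "$LABEL")"
```

In Perl, the list forms of `system` and `exec` pass each argument directly to the program without shell parsing, which removes the need for quoting when the caller controls how the helper program is invoked.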
